NRC: OIG/98A-16 - Review of NRC Controls to Prevent the Inadvertent Release of Sensitive Information

February 3, 1999

MEMORANDUM TO: Chairman Jackson

FROM: Thomas J. Barchi, Assistant Inspector General for Audits

SUBJECT: REVIEW OF NRC CONTROLS TO PREVENT THE INADVERTENT RELEASE OF SENSITIVE INFORMATION

Attached is the Office of the Inspector General's audit report titled "Review of NRC Controls to Prevent the Inadvertent Release of Sensitive Information." Due to recent releases of sensitive information, you requested that the Office of the Inspector General conduct an agencywide review of the controls to prevent such unauthorized releases.

On December 21, 1998, we provided a draft of this report to the Chief Information Officer (CIO). On January 25, 1999, the CIO responded to our draft report and generally agreed with the report's findings and recommendations. He partially agreed with our first recommendation and suggested alternate wording.
The CIO's comments are contained in Appendix II of this report.

Please contact me on 415-5915 if we can assist you further in this matter.

Attachment: As stated

cc:
Commissioner Dicus
Commissioner Diaz
Commissioner McGaffigan
Commissioner Merrifield

Report Synopsis
Introduction
Background
Findings
   Agency Guidance and Policies Regarding Sensitive Information--Adequate But Scattered
   Staff Usually Implement Agency Guidance, But Have Varying Levels of Training and Awareness
   ADAMS Sensitive Information Security Planning and Training Are Imperative
Conclusion
Recommendations
Appendices
   I. Agency Comments
   II. Objectives, Scope, and Methodology
   III. U.S. NRC Organizational Chart
   IV. NRC Guidance/Policy Regarding Sensitive Information
   V. Sample of Resources Available to NRC Employees Responding to FOIA Requests
   VI. Agency "Good Practices"
   VII. Glossary
   VIII. Major Contributors to this Report
   IX. Glossary: Office of the Inspector General Products
      Investigative
      Audit
      Regulatory

Report Synopsis

The Chairman of the U.S. Nuclear Regulatory Commission (NRC) requested that the Office of the Inspector General conduct an agencywide review of the controls protecting the agency's sensitive information from unauthorized release. Our overall objectives in conducting this audit were to determine if NRC's management controls protecting sensitive unclassified information from inadvertent release are adequate and if agency guidance is being implemented. Additionally, we reviewed the development plans for the Agencywide Documents Access and Management System (ADAMS), NRC's upcoming electronic document management system, to determine if appropriate security measures will be taken to protect sensitive information.

NRC controls preventing the unauthorized release of sensitive information generally appear adequate, yet occasionally, unintentional unauthorized releases of sensitive information occur. We believe the agency can take steps to improve its processes and enhance employee awareness. We found the agency's guidance and policies on sensitive information to be scattered among at least 38 management directives, manuals, and other resources. Furthermore, we found that the guidance, particularly the information contained in the management directives, is not consistently cross-referenced or indexed. We also found that agency staff have varied levels of training and awareness regarding sensitive information, increasing the potential for inadvertent releases to occur.

With regard to ADAMS, we found that security measures for protecting sensitive information are still under development. Therefore, we were unable to test the effectiveness of the proposed measures. However, NRC needs to assure that it identifies and addresses information security requirements prior to implementing ADAMS to minimize the chance of inadvertent release.

Our report makes four recommendations to improve the effectiveness of NRC's sensitive unclassified information protection program. In addition, our work identified numerous "good practices" used by individual offices and regions. We have included a listing of those "good practices" as an appendix to our report so that agency managers may consider their use on a case-by-case basis.

Introduction

Due to recent releases of sensitive information, the Chairman of the U.S. Nuclear Regulatory Commission (NRC) requested that the Office of the Inspector General (OIG) conduct an agencywide review of the controls to prevent such unauthorized releases. Because agency employees deal with sensitive unclassified information in a variety of forms on a daily basis, there are many opportunities for unauthorized releases of information to occur. Furthermore, the premature or unauthorized release of sensitive information could have adverse effects on the agency.

Because of the extensive restrictions on employee access to classified information, we focused our review exclusively on unclassified information. Also, recognizing the agency's inability to preclude intentional release of sensitive information,(1) our review covered only inadvertent unauthorized releases of this information.

Our overall objectives were to determine if NRC's management controls protecting sensitive unclassified information from inadvertent release are adequate and if agency guidance is being implemented. Additionally, we reviewed the development plans for the agency's new electronic document management system to determine if appropriate security measures will be taken to protect sensitive information. Appendix I contains additional information on our objectives, scope, and methodology.

Background

The agency defines sensitive information in Management Directive 12, "Glossary," as "data that requires a degree of protection because of the risk and magnitude of loss or harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the data." Categories of sensitive unclassified information include personal, proprietary, predecisional, and investigatory data.

The NRC's policy is to release agency health and safety related information to the public in keeping with the spirit of openness required by the Freedom of Information Act (FOIA). However, the agency must also comply with its legal obligations to protect information and its decision-making and investigative processes. While the NRC protects predecisional information from inadvertent release, the release of this information may be required to resolve a significant safety or safeguards issue or an emergency. Furthermore, the NRC also strives to protect the identity of allegers and confidential sources. That is, the agency will make all reasonable efforts to protect the identity of anyone who brings safety concerns to the NRC consistent with applicable statutes.

In addition, the agency is preparing to implement the Agencywide Documents Access and Management System (ADAMS) beginning in March 1999. ADAMS is an electronic information system that will maintain NRC's unclassified records in a centralized electronic document repository. NRC staff are addressing information security, including the protection of sensitive information contained in the system, as part of the ADAMS development process.

Findings

NRC controls preventing the unauthorized release of sensitive information appear adequate and are usually implemented by the NRC staff. However, opportunities exist to further reduce the risk of inadvertent releases of sensitive information through improved access and enhanced employee awareness of pertinent guidance. In this section, we will discuss our findings with regard to the agency's guidance concerning sensitive information, implementation of that guidance, and plans for protecting sensitive information in ADAMS.

Agency Guidance and Policies Regarding Sensitive Information--Adequate But Scattered

Although NRC's management controls for protecting sensitive information from inadvertent release appear adequate, the agency's guidance and policies are scattered among many management directives, manuals, and other documents. Furthermore, we found that the guidance, particularly the information contained in the management directives, is not consistently cross-referenced or indexed. As a result, the potential exists for staff to miss pertinent guidance or apply it incorrectly.

For optimal benefit, agency guidance and policies regarding the protection of sensitive information should be easy to identify and access.
NRC employees deal with many forms of sensitive information such as investigative reports, draft inspection reports, and proprietary information. According to a former Executive Director for Operations (EDO),(2) employees are prohibited from releasing sensitive information in violation of the NRC's procedures and will be subject to appropriate disciplinary action or may be subject to other legal liability. Therefore, staff need easy access to the procedures and policies governing the release of sensitive information.

We found agency guidance and policy relating to the protection of sensitive information in a variety of forms. NRC employees need to review numerous management directives, manuals and handbooks, NUREG publications, regional and office procedures, and other communications such as e-mail messages and memoranda to find all the pertinent guidance related to sensitive information. In total, we identified more than 38 sources that provide agency guidance relating to the subject (see Appendix IV). The figure in Appendix V illustrates the agency's process flow regarding sensitive information guidance. This flow chart is an example of some resources that agency employees use to respond to FOIA requests.

Furthermore, agency guidance relating to sensitive information is not indexed or consistently cross-referenced. For example, the agency's own FOIA Audit(3) report recommended that Management Directive 3.1, "FOIA," be referenced to Management Directive 8.8, "Management of Allegations." A member of the audit team related that one of their biggest concerns was that not all management directives on the issue were cross-referenced to each other. As stated, we identified more than 38 sources, including 25 management directives, that provide agency guidance relating to sensitive information. Agency staff are currently revising several related management directives and some guidance is already cross-referenced; however, more needs to be done because sensitive information touches many subjects.

Because agency guidance relating to sensitive unclassified information is scattered and not easy to identify, the potential exists for missing pertinent guidance or applying it incorrectly. For example, NRC recently experienced an inappropriate release of names and identifying information in two FOIA responses resulting in legal action against the agency. We believe that techniques such as indexing and cross-referencing of pertinent agency guidance could further minimize the risk of inadvertent release of sensitive information.

Staff Usually Implement Agency Guidance, But Have Varying Levels of Training and Awareness

While NRC offices and regions usually implement agency guidance as it applies to their missions, inadvertent releases of sensitive information occasionally occur. We believe that these releases may occur because agency staff have varied levels of training and awareness regarding sensitive information. While the agency's overall record on protecting sensitive information appears adequate, even one unauthorized release can have far-reaching consequences that could ultimately interfere with NRC's ability to perform its regulatory and public health and safety missions.

Although NRC policy does not explicitly state that the agency's goal is to have no inadvertent releases of sensitive information, this goal is implied in various management directives and other forms of agency guidance. Furthermore, as mentioned in the preceding section, NRC employees are held personally accountable for protecting sensitive information in accordance with NRC procedures.

We found that despite the obvious good intentions by NRC staff, inadvertent releases of information to the public sometimes do occur. NRC does not perform any centralized tracking of inadvertent releases of sensitive information, but information provided by the Office of the Chief Information Officer (OCIO) and Office of the Executive Director for Operations (OEDO) staff, and anecdotal information gathered through our interviews, suggest that the number of inadvertent releases is relatively small. According to statistics provided by OCIO staff, during the first 11 months of fiscal year 1998, 67,398 documents were sent to the NRC's Public Document Room (PDR). Of that total, 52 -- or less than 1 percent -- were withdrawn from the PDR. Some of these documents were withdrawn because they contained sensitive information and had been sent to the PDR in error. Reportedly, almost half of the withdrawals occurred before the items were actually placed on the PDR shelves.

OEDO staff also provided information pointing to a relatively small number of inadvertent releases of sensitive information. Management Directive 3.4 requires NRC office directors and regional administrators to inform the EDO in writing of corrective action taken in response to any inadvertent release of information to the public. While OEDO staff do not formally track these documents, they said that their office receives only about two such memoranda per year.

Our review disclosed that inadvertent releases of sensitive information may be attributable to the varying levels of staff training and awareness of applicable guidance. For the most part, staff appeared generally aware of the agency's guidance concerning sensitive information as it applies to their offices' missions. However, we noted varying levels of staff knowledge and understanding about the guidance. For example, in one incident of inadvertent release, staff misunderstood their responsibilities under agency FOIA procedures; in others, staff conveyed sensitive information verbally either in an inappropriate setting or to inappropriate individuals. In yet another case, staff misapplied their own office procedures for sending material to the PDR resulting in the public perception that NRC was involved in a cover-up. Other releases occurred due to miscommunication among staff members or when staff mistakenly shuffled sensitive information in with a stack of non-sensitive material.

In addition, agency staff members expressed concern regarding what they perceive as "conflicting goals" in NRC's guidance regarding sensitive information. The conflict, as seen by staff, is between the need to release information under FOIA and the need to protect the identity of allegers and confidential sources. Although the perceived notion of conflicting goals is outside the scope of our review, we recognize the importance of achieving balance between the two goals. We believe there is a need for additional employee education regarding NRC's open disclosure policy and NRC's policy for protecting allegers and confidential sources.

We also found that many headquarters and regional offices had developed their own practical and workable techniques to protect sensitive information in their jurisdiction. A list of these agency "good practices" appears in Appendix VI of this report. However, our review also showed that different offices and regions pursue staff training on sensitive information in different ways. In some offices, co-workers convey procedural information to new employees, while other offices supplement such on-the-job training with written procedures and training sessions.

While the number of inadvertent releases of sensitive information appears to be relatively small, it is critical to note that even one unauthorized release of sensitive information can have far-reaching effects. One of the clearest examples of this pertains to the role that allegers play in nuclear industry health and safety matters. NRC policy encourages individuals to come forward and identify safety concerns to their employers or to the NRC.
The same policy emphasizes the need to protect the identities of these individuals "to preclude potential retaliation by employers against individuals raising concerns to the NRC." In this case, the link between protecting identities and health and safety implications is obvious. If individuals lose confidence that NRC will protect their identity, they may hesitate to come forward and report what they perceive as safety concerns or wrongdoing. This could jeopardize the effectiveness of NRC's oversight activities.

Our review suggests that while NRC staff generally are successful in preventing inadvertent releases of sensitive information, there is opportunity to reduce risk by heightening employee awareness through training and education. While some NRC offices and regions offer training courses relevant to specific sensitive information topics periodically, we were unable to identify any agencywide training requirement to regularly heighten employee awareness about their responsibility with regard to all categories of sensitive information. The incidents of inadvertent release that we reviewed seem to share, at their root, a lack of awareness by some staff members of the appropriate way to handle sensitive unclassified information and suggest that additional training is warranted.

ADAMS Sensitive Information Security Planning and Training Are Imperative

As NRC prepares to move into an electronic document management environment, it is important that sufficient attention is paid to protecting all categories of sensitive information. According to OCIO staff, they intend to include all current sensitive information protection measures in ADAMS, the agency's automated document management and workflow system currently under development. If ADAMS security planning does not account for all categories of sensitive information, categories not accounted for may make their way into the public domain. In addition, if NRC does not adequately train its employees in applying appropriate security measures, accidental releases may occur.

To assure that all current sensitive information protection measures will be incorporated into ADAMS, OCIO staff said they have developed strategies for overall system security, specific library security, and individual document security. Overall system security protects against threats to penetrate, corrupt, or disable the system. In this regard, NRC has performed a risk assessment and will develop and test a detailed security and disaster recovery plan before implementing ADAMS. Library security refers to the measures invoked to protect specific groupings of information. Agency allegation information has already been flagged to receive special library protection. OCIO staff said ADAMS will also require that NRC staff mark and categorize each document according to its sensitivity level. If staff label a document as "sensitive," appropriate warning labels will be visible on the computer monitor and on the document when printed. In addition, OCIO staff plan to provide general ADAMS training that will address sensitive information protection measures, and noted that such training might be mandatory for each NRC employee. OCIO staff expect that NRC headquarters and regional office staff will develop their own sensitive information protection programs using the available ADAMS library and document security functions and inform their employees regarding these measures.

Since the security plan for ADAMS is currently under development, we were unable to test the effectiveness of the proposed measures. However, we note that if NRC does not properly identify all sensitive libraries needing additional protection measures and comprehensive training is not taken by staff before ADAMS is implemented, sensitive unclassified information could be inadvertently released.

Conclusion

Although NRC controls protecting sensitive unclassified information appear to be adequate and usually well implemented, occasionally, unintentional releases of sensitive information still occur. The unauthorized release of sensitive information could have far-reaching effects on the agency. For example, it could diminish the NRC's ability to perform the regulatory function assigned it and to protect public health, safety, and the environment. It could also lead to decreased respect for the NRC and loss of credibility with the public and other Federal agencies. In some cases, a release could invade an individual's privacy or compromise a confidential agreement. We believe the agency can improve its current sensitive information protection program by making its policies and procedures easier to identify and by providing training to heighten NRC staff awareness. In addition, NRC needs to assure that it identifies and addresses its information security needs prior to implementing ADAMS.

Recommendations

To improve the effectiveness of NRC's sensitive unclassified information protection program and to ensure the program remains effective when ADAMS is implemented, we recommend that the Chief Information Officer (CIO):

1. Look for opportunities to consolidate the guidance on protecting sensitive information with a view towards reducing the number of sources of such guidance. In addition, create a management directive index that would list and provide the location of all guidance related to sensitive information. In addition, review existing directives to ensure that each is adequately cross-referenced to other related guidance.

2. Make the management directives (and corresponding handbooks) available on NRC's web site to facilitate easy search and retrieval of pertinent guidance.

3. Educate all employees on a regular basis to increase their awareness regarding sensitive information.

4. Provide agencywide mandatory training on the protection of sensitive information in ADAMS before implementing the system. In addition, provide more detailed courses, tailored to specific sensitive office functions.

Appendices

I. Agency Comments

On January 25, 1999, the CIO responded to our draft report. We have included the response in Appendix II of this report.

The CIO generally agreed with the report's findings and recommendations. He partially agreed with our first recommendation and suggested alternate wording. We reviewed Management Directive 3.4, Release of Information to the Public (approved for publication by the Executive Director for Operations on 1/25/99), and disagree that this document satisfies the objective of our recommendation. While recognizing that the revised Management Directive 3.4 contains more cross-referencing and information than its predecessor, we believe this does not constitute a complete index that identifies and provides the location of all guidance related to sensitive information. (For further clarification of the term "index," please refer to the definition of the term which we included in Appendix VII, Glossary.) We incorporated a portion of the CIO's alternate wording into our recommendation to clarify the notion of cross-referencing, and left the remainder of the recommendation as originally stated. We note that the CIO's wording suggests a promising approach for meeting our intent with regard to consolidation.

While agreeing with our second recommendation, the CIO commented that the Office of Administration has recently announced to NRC employees the availability of the agency's Management Directives on CD-ROM. Additionally, a searchable version of this guidance will be available on the NRC's website by October 1, 1999. While looking forward to the availability of the Management Directives online, we caution that this version should allow for real-time updates to coincide with revisions to the Management Directives.

Besides responding to our recommendations, the CIO provided comments on several of the report's findings. The CIO's memo indicated that he found our use of the word "scattered" to be negative and that he believes OIG views this condition as "a problem." In fact, we do not believe that the number of guidance sources is in and of itself a problem. Rather, the important issue is one of accessibility. Because so many sources of guidance on handling sensitive information exist, and there is no central index of these sources for employees, it seems probable that a staff member could miss pertinent guidance. This is particularly important since NRC employees are held personally accountable for protecting sensitive information.

The CIO's memo states that the report fails to recognize that Management Directive 3.4 "already serves as a single reference for guidance on the release of information to the public." We have reviewed the recently approved Management Directive 3.4 and believe that it provides an overview of the topic of sensitive information, but does not cover the topic fully enough to serve as a "single reference."
Again, we emphasize our view that an index to all other guidance related to sensitive information is needed to optimize an employee's ability to access the appropriate guidance.

The CIO further asserts that the report does not cite examples of problems arising out of "varied levels of training." To the contrary, the last paragraph on page 4 of the report describes the varying levels of staff training and awareness of applicable guidance we observed, and it lists specific examples of problems that have occurred due to varying levels of staff knowledge and understanding about the agency's guidance. We believe there is an obvious link between training and knowledge/awareness and that the CIO indicates concurrence with this view. In his memo, he agrees with our third recommendation and states "in light of this report, we will have all offices review their areas of sensitive information and identify needs for increased awareness and training and take appropriate action to ensure that this is accomplished."

The CIO's memo also pointed out the need to reword an agency "good practice" listed in Appendix VI of the report. We made the appropriate change to our description of the good practice.

Finally, in response to a January 8, 1999, memo sent to OIG from the Chairman, Executive Council (EC), we have redirected our recommendations. Because our recommendations affect the entire agency, we initially directed them to the EC. However, we were informed that actions should not be assigned to the EC as a body, but rather to a specific organizational component within the NRC. In this case, the Chairman, EC, asked that we direct our recommendations to the CIO.

II. Objectives, Scope, and Methodology

The objectives of our audit were to: (1) determine if NRC's management controls protecting sensitive information from inadvertent release are adequate; (2) determine if offices/regions are implementing the agency's guidance to protect sensitive information from inadvertent release; and (3) determine if the Agencywide Documents Access and Management System (ADAMS) development process is taking into consideration the need to protect sensitive data from unauthorized release. Our audit focused on a review of the agency's controls to prevent the unauthorized release of sensitive information and the adequacy and implementation of those controls.

To determine if the agency's management controls for protecting sensitive information from inadvertent release are adequate, we reviewed NRC's policies and procedures. We also reviewed agency data to determine how many documents are sent to the Public Document Room and how many documents were sent in error for fiscal year 1998. Furthermore, we interviewed senior agency managers and their staff members to identify the internal procedures used by offices and regions for protecting sensitive information.

In addition, we interviewed Office of the Chief Information Officer staff and reviewed related documentation to identify the agency's planned approach for protecting sensitive data from inadvertent release once ADAMS is implemented.

Our audit was conducted from August 1998 to November 1998 in accordance with generally accepted Government auditing standards.

III. U.S. NRC Organizational Chart

IV. NRC Guidance/Policy Regarding Sensitive Information

Document -- Description/Objectives

1. Management Directive (MD) 3.1 -- Freedom of Information Act (FOIA)
   Defines responsibilities/authorities for processing FOIA requests and informs staff of the types of records that can be released or are exempt (FOIA exemptions included).

2. MD 3.2 -- Privacy Act
   To ensure the lawful use of identifiable personal information.

3. MD 3.4 -- Release of Information to the Public
   General policy guidance on the public release of information (e.g., draft, predecisional). Also includes information on the Nuclear Documents System (NUDOCS) and the Public Document Room (PDR).

4. MD 3.7 -- Unclassified Staff Publications in the NUREG Series
   To ensure that sensitive unclassified information is not compromised by the release or publication of information by NRC.

5. MD 3.8 -- Unclassified Contractor and Grantee Publications in the NUREG Series
   To ensure that sensitive unclassified information is not compromised by the release or publication of information by NRC.

6. MD 3.11 -- Conferences and Conference Proceedings
   To ensure that classified or sensitive unclassified information is not released at public conferences or in publicly released conference proceedings.

7. MD 3.12 -- Handling and Disposition of Foreign Documents and Translations
   To assign responsibilities and establish procedures for handling unclassified, sensitive unclassified, and classified foreign documents and their translations.

8. MD 3.23 -- Mail Management
   To ensure that classified and unclassified sensitive information is not compromised by handling, marking, preparing, and transmitting such information.

9. MD 3.50 -- Document Management
   Includes information on NUDOCS and guidelines protecting proprietary and copyrighted material.

10. MD 3.53 -- NRC Records Management Program
   To foster effective and efficient filing and records management practices including the protection of sensitive unclassified information.

11. MD 7.4 -- Reporting Suspected Wrongdoing and Processing Office of the Inspector General (OIG) Referrals
   To describe NRC management responsibilities in handling OIG investigative referrals and reports.

12. MD 8.8 -- Management of Allegations
   Guidance regarding the allegations program, including the protection of allegers' identities.

13. MD 8.9 -- Accident Investigation
   Notes that Director, Accident Review Group, is charged with preparing and reviewing all data for classified or sensitive unclassified information and distributing the investigation report and related documents.

14. MD 9.7 -- Organization and Functions, Office of the General Counsel (OGC)
   Lists OGC's functions, including the service it provides in connection with FOIA and Privacy Act administration.

15. MD 9.13 -- Organization and Functions, Office of Congressional Affairs (OCA)
   Lists OCA's functions, including the responsibility it has to use a special cover letter when transmitting documents to Congress that are not publicly available (unclassified).

16. MD 9.21 -- Organization and Functions, Office of Administration (ADM)
   Lists ADM as having responsibility for the FOIA and Privacy Act programs. However, MD 9.21 is out of date. Per NRC Yellow Announcement No. 16, dated 2/12/98, these programs are under the Office of the Chief Information Officer.

17. MD 10.159 -- Differing Professional Views or Opinions (DPV/DPO)
   Includes guidance for determining which DPV/DPO documents or portions of documents should or should not be released to the public.

18. MD 11.1 -- NRC Acquisition of Supplies and Services
   Includes guidance for ensuring that, when necessary, contractors are approved for access to sensitive unclassified information.

19. MD 11.7 -- NRC Procedures for Placement and Monitoring of Work with the U.S. Department of Energy (DOE)
   Includes guidance for providing sensitive unclassified information (including proprietary and safeguards) to DOE.

20. MD 12 -- Glossary
   Defines sensitive information.

21. MD 12.1 -- NRC Facility Security Program
   To ensure that classified and sensitive unclassified information is protected from unauthorized disclosure.

22. MD 12.3 -- NRC Personnel Security Program
   To provide effective controls to further protect classified and sensitive unclassified information.

23. MD 12.4 -- NRC Telecommunications Systems Security Program
   To safeguard classified or sensitive unclassified information communicated over telecommunications systems (e.g., telephones, facsimiles, networks).

24. MD 12.5 -- NRC Automated Information Systems (AIS) Security Program
   To safeguard AIS facilities and classified safeguards information (SGI) and sensitive unclassified information that is processed, stored, or produced on AISs.

25. MD 12.6 -- NRC Sensitive Unclassified Information Security Program
   Includes guidance concerning required markings on proprietary and other documents.

26. Manual Chapter 4161 -- Employee Health Services Program
   Addresses the confidentiality of health and medical records.

27. 12/17/93 (Office of the Executive Director for Operations) Memo: FOIA Disclosure Policy
   Advises that "foreseeable harm" must be shown when withholding information from release (per the Department of Justice's and President Clinton's FOIA guidance).

28. NRC Enforcement Manual
   Includes guidance on the proper handling and marking of predecisional enforcement information.

29. NRC Inspection Manual
   Covers draft inspection reports, FOIA requests, and PDR releases.

30. Operating Reactor Project Manager's Handbook
   Includes guidance on how project managers should handle and process sensitive information and FOIA requests and allegations.

31. Commission Policy Statement on Protecting the Identity of Allegers and Confidential
Sources\nProvides the distinction between allegers and confidential\nsources and how the agency "protects" these two groups.\n32\nCode of Federal Regulations (CFR) 10, Energy\nProvides guidance on public inspections, exemptions, requests\nfor withholding official records, and public records provisions.\n33\nNUREG/BR-0027 NRC Security:\xc2\xa0\xc2\xa0 You Are the Key\nProvides general information regarding sensitive unclassified\ninformation at NRC.\n34\nNUREG/BR-0124 FOIA Handbook\nProvides NRC policies/procedures regarding FOIA. NOTE:\nPer OGC, the Handbook is out of date and does not reflect current procedures.\nHowever, some NRC staff still find it a useful reference tool.\n35\nNUREG/BR-0168 Security Policy for Processing and Handling\nof Sensitive Unclassified Information in the Agency Upgrade of Technology\nfor Office Systems (AUTOS)/Local Area Network (LAN) Environment\nProvides information on processing and handling sensitive\nunclassified information in an AUTOS/LAN environment.\n36\nNUREG-0794 Protection of Unclassified Safeguards Information\nAssists licensees and other persons who possess Safeguards\nInformation in establishing an information protection system that satisfies\nthe requirements of 10 CFR 73.21.\n37\nYellow Announcement No. 21, 03/19/97, RE:\xc2\xa0\xc2\xa0 Staff\nInternet Use\nProvides interim guidance concerning the use of the Internet\nand sensitive information.\n38\nVarious regional procedures/instructions, office procedures/instructions\nProvides guidance on numerous topics relating to the protection\nof sensitive information.\nV. Sample of Resources Available to NRC Employees Responding to FOIA Requests\nVI. Agency "Good Practices"\nThe agency\'s management directives pertaining to sensitive information prescribe basic controls to be used to prevent inadvertent release of such information. 
However, there are additional controls, which go beyond the management directive prescriptions, that offices can take to assure protection of sensitive information.

Many offices have their own specific procedures that supplement the agency's overall guidance, and many implement certain measures which they find particularly useful for their specific mission within NRC. During the course of our audit, we compiled a collection of some of these agency "good practices." We present them in this appendix to offer options for managers to consider and perhaps to adopt or modify to suit their unique sensitive information needs:

- In addition to covering allegation material with a blue cover sheet, one region uses a bright yellow folder to cover allegations information.
- One region uses a folder color scheme to help staff distinguish the different types of documents, e.g., blue folder = allegation materials, green folder = Safeguards Information (SGI).
- One region stores SGI on green diskettes and security information on red diskettes.
- As part of their orientation, all new NRC employees in one region receive a briefing on the Freedom of Information Act (FOIA) process from the regional counsel and the FOIA coordinator. Materials provided by the coordinator include a briefing document which is in bulleted form and is clear and concise.
- A senior public affairs officer in one region spends 15 to 30 minutes with each new employee, providing guidance on handling inquiries and their responsibilities for protecting sensitive information.
- Orientation training is provided by the FOIA Branch upon request for FOIA coordinators or others who are interested. The training program, which covers the FOIA process, is flexible and can be tailored to meet individual participants' needs.
- New employee orientation at headquarters includes a short presentation on the protection of sensitive information. Handouts are provided.
- In several offices and regions, the entire staff is trained annually on allegations information sensitivity.
- One region compiles lessons learned from all the regions throughout the year and incorporates them in its annual allegations refresher training, which is required of every employee.
- In the regions, when a mistake is made, the regional administrator calls the other regions and shares the experience with them so they can learn from each other.
- Some regions generate a weekly FOIA log sheet to show the status of FOIA requests within the region.
- In one region, requests for information received from the general public are usually forwarded to the region's public affairs officer.
- Most information released to the public is released through a regional public affairs officer, and staff are supposed to let the public affairs officer know when they do provide information to the public.
- One regional enforcement office destroys all draft information and purges computer files after the enforcement package is finalized.
- Information sent to allegers is mailed in unfranked, nondescript envelopes, and allegers are instructed to send information back to NRC via a post office box.
- Regional allegations staff review all FOIA requests to see if they involve allegations unless they clearly are personnel or financial related. If they determine that the FOIA request comprises allegation material, the office gets involved in a final review as well.
- In one region, all allegations-related materials are reviewed by the region's senior allegations coordinator.
- Secretarial staff in one region performed a correspondence audit on 6 months of randomly selected correspondence. This self-audit looked for sensitive information issues.
- In one region, each division has a FOIA coordinator, in addition to the main regional coordinator.
- In one region, the regional counsel presents FOIA training that includes a review of the exemptions.
- In one region, staff request that the FOIA Branch notify them in writing, via e-mail, why the FOIA Branch released information under a FOIA request that regional staff had bracketed to be redacted.
- In one region, staff have been trained on what constitutes an official agency record. In addition, a file clerk ensures that staff destroy records when they are supposed to do so.
- Secretaries in one region have been given training and supplemental notebooks on Regulatory Information Distribution System (RIDS) codes.
- In one region, the operator licensing branch has a file guide that shows which documents should be retained.
- In one region, operator licensing branch staff have a statement in their elements and standards that speaks to their responsibility for controlling draft and internal information in accordance with NRC policy.
- There is an approximate 2-week delay, which serves as a safety net, between the sending of a document to the Public Document Room (PDR) and actual placement of the item on PDR shelves.
- To heighten staff awareness regarding the protection of sensitive information, ad hoc briefings are held in one headquarters office to address related topics, particularly after a relevant issue arises.
- Yellow announcements and other reminders from senior management address the need to protect sensitive information.
- The agency allegations advisor or agency allegations specialist conducts a final review on FOIA packages containing allegations material, before the material is returned to the FOIA Branch to be sent out.
- In one region, the operator licensing assistant gives a verbal warning about the private nature of the files before giving out any file for review.
- In one headquarters office, pre-made stickers are placed on documents containing sensitive information indicating the type of sensitive information and the distribution rules.

VII. Glossary

Classified Information
Information (such as a document or correspondence) that is designated National Security Information, Restricted Data, or Formerly Restricted Data.

Confidential Source
Any individual or organization that has provided or that may reasonably be expected to provide information to the United States on matters pertaining to the national security or law enforcement with the expectation, expressed or implied, that the information or relationship, or both, be held in confidence.

Freedom of Information Act (FOIA)
Generally provides that any person has a right, enforceable in court, of access to federal agency records, except to the extent that such records (or portions thereof) are protected from disclosure by one of nine exemptions or by one of three special law enforcement record exclusions.

Index
Something that serves to guide, point out, or otherwise facilitate reference, e.g., an alphabetized listing of names, places, and subjects included in a printed work that gives for each item the page on which it is mentioned.

Proprietary Information
(Reference Sensitive Information.) Trade secrets; privileged or confidential research, development, commercial, or financial information, exempt from mandatory disclosure under 10 CFR Part 2 (Sections 2.740 and 2.790) and under 10 CFR Part 9 (section 9.5); and other information submitted in confidence to the NRC by a foreign source and determined to be unclassified by the NRC.

Sensitive Information
That data that requires a degree of protection because of the risk and magnitude of loss or harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the data.
This term includes Proprietary Information, unclassified Safeguards Information, naval nuclear propulsion information, and other information withheld from public dissemination under the Freedom of Information Act, the Privacy Act, or the Atomic Energy Act and information not exported to foreign countries or that must not be disclosed to foreign countries. It also includes sensitive unpublished and otherwise unavailable fuel cycle information relating to the technology of enrichment or reprocessing.

Unclassified Information (Sensitive)
Includes unclassified Safeguards Information, Official Use Only information, and Proprietary information. It also includes unclassified information from other Government agencies and sources outside of NRC and its contractors and licensees that requires special protective measures. Markings used by these agencies and sources include, for example, For Official Use Only, Company Confidential, and Private.

Unclassified Safeguards Information
(Reference Sensitive Information.) Sensitive unclassified information that specifically identifies the detailed security measures of a licensee or an applicant for the physical protection of special nuclear material; or security measures for the physical protection and location of certain plant equipment vital to the safety of production or utilization facilities. Protection of this information is required pursuant to Section 147 of the Atomic Energy Act of 1954, as amended.

VIII. Major Contributors to this Report

Corenthis B. Kelley, Team Leader
Judith L. Leonhardt, Senior Auditor
Cheryl A. Miotla, Management Analyst
Judy G. Gordon, Management Analyst

IX. Glossary: Office of The Inspector General Products

Investigative

1. INVESTIGATIVE REPORT - WHITE COVER
An Investigative Report documents pertinent facts of a case and describes available evidence relevant to allegations against individuals, including aspects of an allegation not substantiated. Investigative reports do not recommend disciplinary action against individual employees. Investigative reports are sensitive documents and contain information subject to the Privacy Act restrictions. Reports are given to officials and managers who have a need to know in order to properly determine whether administrative action is warranted. The agency is expected to advise the OIG within 90 days of receiving the investigative report as to what disciplinary or other action has been taken in response to investigative report findings.

2. EVENT INQUIRY - GREEN COVER
The Event Inquiry is an investigative product that documents the examination of events or agency actions that do not focus specifically on individual misconduct. These reports identify institutional weaknesses that led to or allowed a problem to occur. The agency is requested to advise the OIG of managerial initiatives taken in response to issues identified in these reports, but tracking its recommendations is not required.

3. MANAGEMENT IMPLICATIONS REPORT (MIR) - MEMORANDUM
MIRs provide a "ROOT CAUSE" analysis sufficient for managers to facilitate correction of problems and to avoid similar issues in the future. Agency tracking of recommendations is not required.

Audit

4. AUDIT REPORT - BLUE COVER
An Audit Report is the documentation of the review, recommendations, and findings resulting from an objective assessment of a program, function, or activity. Audits follow a defined procedure that allows for agency review and comment on draft audit reports. The audit results are also reported in the OIG's "Semiannual Report" to the Congress. Tracking of audit report recommendations and agency response is required.

5. SPECIAL EVALUATION REPORT - BURGUNDY COVER
A Special Evaluation Report documents the results of short-term, limited assessments. It provides an initial, quick response to a question or issue, and data to determine whether an in-depth independent audit should be planned. Agency tracking of recommendations is not required.

Regulatory

6. REGULATORY COMMENTARY - BROWN COVER
Regulatory Commentary is the review of existing and proposed legislation, regulations, and policies so as to assist the agency in preventing and detecting fraud, waste, and abuse in programs and operations. Commentaries cite the IG Act as authority for the review, state the specific law, regulation or policy examined and the pertinent background information considered, and identify OIG concerns, observations, and objections. Significant observations regarding action or inaction by the agency are reported in the OIG Semiannual Report to Congress. Each report indicates whether a response is required.

Footnotes

1. Refer to Appendix VII, Glossary, for definitions of sensitive information and other related terms.

2. Announcement No. 118, dated December 22, 1997, Subject: Release of Sensitive Information, To: All NRC Employees, From: L. Joseph Callan, Executive Director for Operations.

3. The FOIA Audit was a comprehensive review of procedures, policies, and implementing guidance for protecting the identity of allegers when preparing and reviewing responses to FOIA requests.
The FOIA Audit report was issued on March 18, 1998.

Page Last Reviewed/Updated Thursday, March 29, 2012